The objective of our audit was to determine whether adequate physical and logical access controls are in place to secure the cybersecurity program systems utilized by US-CERT and safeguard the data collected and disseminated by US-CERT. Specifically, we:

Determined what and how cybersecurity data is collected and maintained by US-CERT.

Determined whether US-CERT has implemented effective system security controls to safeguard the confidentiality, integrity, and availability of cybersecurity data.

Determined whether the system documentation for DHS’ cybersecurity program systems has been completed in compliance with DHS and FISMA requirements.

"Adequate security controls have not been implemented on the [Mission Operating Environment] to protect the data processed from unauthorized access, use, disclosure, disruption, modification, or destruction," the IG concluded.

The report indicates the DHS US-CERT is grappling with more than six hundred network vulnerabilities, with more than two hundred of them having been identified as critical.

"The results of our vulnerability assessments revealed that [National Cyber Security Division] is not applying timely security and software patches on the [Mission Operating Environment]," the report continued.

DHS indicated that the agency has implemented "a software management tool [to] automatically deploy operating-system and application-security patches and updates to mitigate current and future vulnerabilities," according to a statement by DHS spokeswoman Amy Kudwa.
